Build and Release #25
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and Release | |
on: workflow_dispatch | |
defaults: | |
run: | |
# necessary for windows | |
shell: bash | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4.1.7 | |
- uses: actions-rust-lang/setup-rust-toolchain@v1 | |
- uses: arduino/setup-protoc@v3 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Running examples | |
run: | | |
cargo run | |
prepare-release: | |
needs: test | |
runs-on: ubuntu-latest | |
outputs: | |
sha: ${{ steps.commit.outputs.sha }} | |
version: ${{ steps.store-version.outputs.version }} | |
steps: | |
- uses: actions/checkout@v4.1.7 | |
name: Fetch entire history (for conventional commits) | |
with: | |
fetch-depth: 0 | |
- name: Configure Git | |
run: | | |
git config --global user.name GitHub Actions | |
git config user.email github-actions@github.com | |
- name: Install Knope | |
uses: knope-dev/action@v2.1.0 | |
with: | |
version: 0.18.0 | |
- run: knope prepare-release --verbose | |
name: Update versioned files and changelog | |
- name: Store commit | |
id: commit | |
run: echo "sha=$(git rev-parse HEAD)" >> $GITHUB_OUTPUT | |
- name: Store version | |
id: store-version | |
run: echo "version=$(knope get-version)" >> $GITHUB_OUTPUT | |
build-artifacts: | |
needs: prepare-release | |
strategy: | |
matrix: | |
include: | |
- target: x86_64-unknown-linux-gnu | |
os: ubuntu-latest | |
- target: aarch64-apple-darwin | |
os: macos-latest | |
- target: x86_64-pc-windows-msvc | |
os: windows-latest | |
runs-on: ${{ matrix.os }} | |
permissions: | |
contents: read | |
id-token: write | |
env: | |
archive_name: rhai-test | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
ref: ${{ needs.prepare-release.outputs.sha }} | |
- uses: actions-rust-lang/setup-rust-toolchain@v1 | |
with: | |
target: ${{ matrix.target }} | |
- uses: arduino/setup-protoc@v3 | |
with: | |
repo-token: ${{ secrets.GITHUB_TOKEN }} | |
# Authenticate to GCP using Workload Identity Federation. | |
# We set up the WI provider in the `github_actions_federation` resource in the | |
# `platform-infrastructure` repository. | |
- id: google-auth | |
uses: "google-github-actions/auth@v2" | |
with: | |
workload_identity_provider: "projects/865738624352/locations/global/workloadIdentityPools/github-d8bck/providers/github-d8bck" | |
service_account: apollosolutions-rhai-test@platform-mgmt-service-e0izz.iam.gserviceaccount.com | |
project_id: platform-cross-environment | |
# Gets some secrets from Google Secret Manager. | |
- id: gsm-secrets | |
uses: "google-github-actions/get-secretmanager-secrets@v2" | |
with: | |
# The format of each line here is OUTPUTNAME:PROJECT/SECRET; you can | |
# read the secrets later in this file with | |
# `steps.gsm-secrets.outputs.OUTPUTNAME`. These secrets are created in | |
# the `argo` resource in the `domain-deployment` repository. | |
secrets: |- | |
MACOS_CERT_BUNDLE_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_PASSWORD | |
MACOS_CERT_BUNDLE_BASE64:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_CERT_BUNDLE_BASE64 | |
MACOS_NOTARIZATION_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_NOTARIZATION_PASSWORD | |
MACOS_KEYCHAIN_PASSWORD:platform-mgmt-secrets-3xnc4/apollosolutions-rhai-test-MACOS_KEYCHAIN_PASSWORD | |
- name: Build | |
run: cargo build --release --target ${{ matrix.target }} | |
- name: Sign Apple Binary | |
if: ${{ matrix.os == 'macos-latest' }} | |
run: | | |
MACOS_CERT_BUNDLE_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_PASSWORD}} | |
MACOS_CERT_BUNDLE_BASE64=${{steps.gsm-secrets.outputs.MACOS_CERT_BUNDLE_BASE64}} | |
MACOS_KEYCHAIN_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_KEYCHAIN_PASSWORD}} | |
MACOS_NOTARIZATION_PASSWORD=${{steps.gsm-secrets.outputs.MACOS_NOTARIZATION_PASSWORD}} | |
APPLE_TEAM_ID="YQK948L752" | |
APPLE_USERNAME="opensource@apollographql.com" | |
echo "Pre-check: Valid Codesigning Identify" | |
security find-identity -v -p codesigning | |
echo "Pre-check: Codesigning Identify" | |
security find-identity -p codesigning | |
echo "Pre-check: Any Identify" | |
security find-identity | |
echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
VERSION=${{ needs.prepare-release.outputs.version }} | |
BINARY_PATH=target/${{ matrix.target }}/release/${{ env.archive_name }} | |
ENTITLEMENTS_PATH="macos-entitlements.plist" | |
# Create a temporary keychain | |
KEYCHAIN_NAME="rhaitest-keychain" | |
mkdir $KEYCHAIN_NAME | |
echo "Creating keychain..." | |
security create-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
echo "Removing relock timeout on keychain..." | |
security set-keychain-settings $KEYCHAIN_NAME | |
echo "Decoding certificate bundle..." | |
echo "${MACOS_CERT_BUNDLE_BASE64}" | base64 --decode > $KEYCHAIN_NAME/certificate.p12 | |
echo "Importing codesigning certificate to build keychain..." | |
security import $KEYCHAIN_NAME/certificate.p12 -k $KEYCHAIN_NAME -P "${MACOS_CERT_BUNDLE_PASSWORD}" -T /usr/bin/codesign | |
echo "Adding the codesign tool to the security partition-list..." | |
security set-key-partition-list -S "apple-tool:,apple:,codesign:" -s -k "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
echo "Setting default keychain..." | |
security default-keychain -d user -s $KEYCHAIN_NAME | |
echo "Unlocking keychain..." | |
security unlock-keychain -p "${MACOS_KEYCHAIN_PASSWORD}" $KEYCHAIN_NAME | |
echo "Verifying keychain is set up correctly..." | |
security find-identity -v -p codesigning | |
echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
echo "Post-check: Valid Codesigning Identify" | |
security find-identity -v -p codesigning | |
echo "Post-check: Codesigning Identify" | |
security find-identity -p codesigning | |
echo "Post-check: Any Identify" | |
security find-identity | |
echo "|||||||||||||||||||||||||||||||||||||||||||||" | |
# Sign the binary | |
echo "Signing code (step 1)..." | |
codesign --sign "$APPLE_TEAM_ID" --options runtime --entitlements $ENTITLEMENTS_PATH --force --timestamp "$BINARY_PATH" -v | |
echo "Signing code (step 2)..." | |
codesign -vvv --deep --strict "$BINARY_PATH" | |
echo "Zipping dist..." | |
mkdir "$KEYCHAIN_NAME/dist" | |
cp "$BINARY_PATH" "$KEYCHAIN_NAME/dist/rhaitest" | |
zip -r "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" "$KEYCHAIN_NAME/dist" | |
echo "Beginning notarization process..." | |
xcrun notarytool submit "$KEYCHAIN_NAME/rhaitest-$VERSION.zip" --apple-id "$APPLE_USERNAME" --password "$MACOS_NOTARIZATION_PASSWORD" --team-id "$APPLE_TEAM_ID" --wait --timeout 20m | |
- name: Create Archive Folder | |
run: mkdir ${{ env.archive_name }} | |
- name: Copy Unix Artifact | |
if: ${{ matrix.os != 'windows-latest' }} | |
run: cp target/${{ matrix.target }}/release/${{ env.archive_name }} ${{ env.archive_name }} | |
- name: Copy Windows Artifact | |
if: ${{ matrix.os == 'windows-latest' }} | |
run: cp target/${{ matrix.target }}/release/${{ env.archive_name }}.exe ${{ env.archive_name }} | |
- name: Create Tar Archive | |
run: tar -czf ${{ env.archive_name }}-${{ matrix.target }}.tgz ${{ env.archive_name }} | |
- name: Upload Artifact | |
uses: actions/upload-artifact@v4.4.0 | |
with: | |
name: ${{ matrix.target }} | |
path: ${{ env.archive_name }}-${{ matrix.target }}.tgz | |
if-no-files-found: error | |
release: | |
needs: [build-artifacts, prepare-release] | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4.1.7 | |
with: | |
ref: ${{ needs.prepare-release.outputs.sha }} | |
- uses: actions/download-artifact@v4.1.8 | |
with: | |
path: artifacts | |
merge-multiple: true | |
- run: | | |
cd artifacts | |
ls | |
cd .. | |
- name: Install the latest Knope | |
uses: knope-dev/action@v2.1.0 | |
with: | |
version: 0.11.0 | |
- run: knope release --verbose | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
- name: Update Installer version | |
run: | | |
VERSION=$(knope get-version) | |
sed -i "s/PACKAGE_VERSION=\"v[0-9]*\.[0-9]*\.[0-9]*\"/PACKAGE_VERSION=\"v$VERSION\"/" installers/nix/install.sh | |
git config --global user.name GitHub Actions | |
git config user.email github-actions@github.com | |
git add . | |
git commit -m "Update installer version to v$VERSION" | |
git push |